Labels and taints

Workload placement controls and examples.

Labelling nodes

The hybrid cluster comprises of a virtual master node and bare-metal worker node with a single load balancer.

kubectl get nodes

NAME       STATUS   ROLES           AGE   VERSION
master-1   Ready    control-plane   13m   v1.32.9
worker-gpu-1   Ready    <none>          12m   v1.32.9

Lets label the worker node:

kubectl label node worker-gpu-1 kubernetes.io/role=worker

node/worker-gpu-1 labeled

NAME       STATUS   ROLES           AGE   VERSION
master-1   Ready    control-plane   25m   v1.32.9
worker-gpu-1   Ready    worker          25m   v1.32.9

---

Tainting nodes

Control plane nodes (masters) have a taint by default to ensure that normal workloads (apps, deployments, etc.) don’t end up on them.

To confirm the control-plane node (master-1) already has the default taint run this command:

kubectl describe node master-1 | grep -A3 Taints

Taints: node-role.kubernetes.io/control-plane:NoSchedule

• This taint prevents regular workloads (pods without matching tolerations) from being scheduled on the control-plane
• Only system components, like kube-apiserver, etcd, coredns, or network plugins such as Calico, can run there, since they include explicit tolerations for this taint

If, for some reason the taint was removed, it can be reapplied by this command:

kubectl taint nodes master-1 node-role.kubernetes.io/master=:NoSchedule

• kubectl taint nodes: applies or removes taints on one or more nodes.
• master-1: the name of the node being tainted.
• node-role.kubernetes.io/master: the key of the taint (a label-like identifier).
• =: since no value is provided, it’s set as an empty string.
• NoSchedule. The effect of the taint: → means “do not schedule any new pods that don’t tolerate this taint.”

---

Removing a taint

To remove it (if you want to schedule pods on the master) run this command:

kubectl taint nodes master-1 node-role.kubernetes.io/master:NoSchedule-

That trailing dash (-) removes the taint.